JP4348227B2 - Hierarchical packet processing system, relay device, server, method thereof, and program thereof - Google Patents

Description

  The present invention relates to a packet relay technique for performing a filtering process when relaying a packet.

In recent years, packet relay apparatuses are equipped with advanced filter processing to shut out inadvertent communication.
In particular, a technique called stateful inspection can finely control whether or not a packet is allowed to pass by monitoring the state of a communication session higher than the IP layer.

  In the stateful inspection, each time a packet is received, the connection is recognized, the state of each connection is updated, and whether or not the packet is allowed to pass is determined according to the filter condition. While the above processing is necessary for almost all packets, it is not limited to simple packet processing such as monitoring of the upper layer header and payload portion of the packet, state management, and packet defragmentation / refragmentation. For this reason, if hardware is used, the scale of the apparatus becomes large.

  Therefore, a method using a network processor is also conceivable. However, this method has proven to be difficult to implement in practice, such as not having sufficient performance, and limited programmable memory.

On the other hand, when a detailed analysis of a packet is performed in a relay process of a network connection device in a system composed of a server and a network connection device, there is a technique for distributing the packet to the server and performing detailed analysis. In this technique, first, it is necessary to make the policy table recognize the server that is the distribution destination. When receiving the packet, the processing distribution unit that distributes the packet to the service processing unit transfers the packet to the service processing unit or a predetermined server based on the policy table. By this transfer, processing is distributed to the outside, and the processing burden on the network connection device can be reduced (see Patent Document 1).
JP 2002-359637 A

  As described above, in the technique of distributing the packet to the server, the distribution destination is designated in the policy table. As a result, the processing distribution unit can distribute the processing to each service processing unit or an external server.

  However, if the server that is the distribution destination is frequently moved or the service provided by the server is changed, the server of the distribution destination specified in the policy table must be specified again.

For this reason, the adjustment of the relay device based on the addition or change of the server has caused a great deal of trouble, which is a problem.
Accordingly, an object of the present invention is to provide a hierarchical packet processing technique that is suitable for addition / change of a server that performs service processing and that realizes high-speed relay processing.

In order to solve the above problems, the present invention is configured as follows.
One aspect of the hierarchical packet processing system of the present invention is based on the premise that the relay unit includes a relay unit and a server that perform service processing on the received packet and relays the received packet. A calling unit that calls a predetermined service processing unit that performs service processing on a packet, a first service processing unit that performs service processing on the received packet by calling the calling unit, and a calling of the calling unit A second service processing unit that virtually performs a service process on the received packet, and when the second service processing unit is called from the calling unit, the server includes: Instead, an external service processing unit that performs arbitrary service processing on the received packet is provided.

  When the second service processing unit is called by calling the calling unit, the received packet is temporarily queued in the processing request queue, and service processing for subsequent received packets is subsequently called by the calling unit. Alternatively, the service processing unit may be configured.

In addition, the external service processing unit may be configured to perform the service processing by using a free time of a CPU used in the relay process of the received packet in the relay unit.
The external service processing unit further detects a state of an upper layer of the received packet based on a detection result of the state of the upper layer. The connection state of the received packet managed by the connection state management unit is updated, and the same connection packet received by the relay unit is updated by the connection of the connection state management unit updated by the external service processing unit. Desirably, the filter processing is performed based on the state.

  The virtual service processing unit manages information on a server that performs service processing and service processing identification information provided by the server according to the type of packet in order to distribute service processing on the received packet to the server. The service list management unit may be configured such that the server includes a transfer unit that transfers information of the self server and an identifier of a service process provided by the self server to the service list management unit. desirable.

  One aspect of the relay apparatus of the present invention is based on the premise that the received packet is subjected to service processing and the received packet is relayed, and a predetermined service processing unit that performs service processing on the received packet is called. A calling unit; a first service processing unit that performs service processing on the received packet by calling the calling unit; and a second service processing that virtually performs service processing on the received packet by calling the calling unit. A connection state management unit that manages information based on detection of a state of an upper layer of the received packet, and when the second service processing unit is called from the calling unit, predetermined information in the received packet is A transmitting unit for transmitting to a predetermined server, a receiving unit for receiving information transmitted from the server, and the received result as described above. A filtering process for performing filtering on the same connection packet with respect to the reflection packet or the reflection unit reflected in the information managed by the connection state management unit based on the post-reflection information managed by the connection state management unit And a portion.

  When the second service processing unit is called by calling the calling unit, the received packet is temporarily queued in the processing request queue, and service processing for subsequent received packets is subsequently called by the calling unit. Alternatively, the service processing unit may be configured.

  In addition, the second service processing unit distributes service processing for the received packet to the server, so that information on the server that performs the service processing and identification information of the service processing provided by the server are determined according to the type of packet. It is desirable to have a service list management unit to manage.

  One aspect of the server according to the present invention is based on the premise that predetermined information in a packet received by a relay device is received from the relay device, and a connection state management unit that manages a connection state, An upper layer detection unit that detects a higher layer state and performs service processing, and the connection of the packet managed by the connection state management unit based on the upper layer state of the packet detected by the upper layer detection unit A connection state updating unit that updates the state; and a transmission unit that transmits the result of the service processing and the update information of the connection state to the relay device.

  Note that the server provides information on its own server to the service list management unit of the relay apparatus that manages information on a server that performs service processing and identification information on service processing provided by the server according to the type of packet. It is desirable to have a transfer unit that transfers the service processing identifier provided by the self-server.

  One aspect of the method of the present invention is based on the premise that the method is performed in a hierarchical packet processing system including a relay unit and a server that performs service processing on a received packet and relays the received packet. Calls the first or second service processing unit that performs service processing on the received packet, and when the first service processing unit is called by the call, performs service processing on the received packet, When the second service processing unit is called by the call, the service processing is virtually performed on the received packet, and when the second service processing unit is called, the server performs the second service processing. Service processing is actually performed on the received packet instead of the unit.

  The connection state for the received packet is managed by the connection state management unit, and the server detects the state of the upper layer of the received packet, and based on the detection result of the state of the upper layer, Preferably, the connection state of the received packet to be managed is updated, and the relay unit filters the same connection received packet based on the connection state of the updated connection state management unit.

  One aspect of the program of the present invention is a program that can be executed by a relay unit and a server that performs a service process on a received packet and relays the received packet. A function for calling a first or second service processing unit for performing service processing on a target, a function for performing service processing on the received packet when the first service processing unit is called by the call, and a function for calling When the second service processing unit is called, a function of virtually processing the received packet is realized. When the second service processing unit is called in the server, the second service processing unit And a function of actually performing service processing on the received packet instead of the second service processing unit.

  The connection state management unit manages the connection state for the received packet, the function for detecting the upper layer state of the received packet in the server, and the connection result based on the detection result of the upper layer state. The function of updating the connection state of the received packet managed by the state management unit, and the relay unit filtering the same connection received packet based on the updated connection state of the connection state management unit It is desirable to realize the function to perform.

  In the present invention, service processing is performed by the external service processing unit of the server in response to the calling of the calling unit. At this time, the calling unit is made to appear to be performing processing in the relay unit, and the existence of the server and service processing that are actually performing processing is concealed.

  For this reason, the calling unit cannot recognize which service processing is being performed on which server by the second service processing unit. Therefore, even if there is an addition / change in the service processing of the server or the external service processing unit, it is not necessary to change the setting of the calling unit based on the addition / change.

  Further, in the present invention, when service processing is performed by the server, received packets are temporarily stored in a processing request queue, and during this time, received packets of the same connection are processed.

  For this reason, for example, even when complicated processing is performed by the server, it is not necessary to stop processing of the same connection reception packet until the complicated processing is completed, and the same connection reception packet can be processed one after another.

In addition, the service processing performed by the server is performed using the time available for the CPU used in the relay processing of the received packet in the relay unit.
For this reason, it becomes possible to give priority to the relay process performed by the relay unit over the service process performed by the server.

  Also, in the present invention, in the service processing performed by the server, the state of the upper layer of the received packet is detected, and the connection state of the received packet managed by the connection state management unit based on the detection result of the state of the upper layer Update. Then, the same connection reception packet received by the relay unit is filtered based on the updated connection state.

  For this reason, it is possible to cause the server to update the connection state based on the state detection of the upper layer, and the relay unit can perform the filtering process simply by referring to the updated connection state.

  In the present invention, the server processing information and the service processing identification information provided by the server for registering the service processing for the received packet from the relay unit to the server are registered in the service list.

  For this reason, by transferring the server information and the service processing identifier provided by the server to the service list of the relay unit from the server, the server to which the relay unit distributes the packet can be changed.

  As described above, according to the present invention, even when a server that performs service processing is added or changed, the change can be easily performed. In addition, the relay process can be performed at high speed.

Hereinafter, the best mode for carrying out the present invention will be described in detail with reference to the drawings.
FIG. 1 is a diagram for explaining the principle of a hierarchical packet processing technique applied to the present invention. This hierarchical packet processing technique is a technique that is preferably applied in a relay system connected between different or similar networks, and packet processing is performed by distributing the packet service processing for received packets between the relay unit and the server. High-speed relay processing is realized.

This figure is a logical block diagram of a processing system for performing the packet service processing of the relay unit and the server.
The relay unit 1 shown in FIG. 1 includes a calling unit 1-1, a service processing unit 1-2, and a virtual service processing unit 1-3. The server 2 shown in FIG. 2 includes a virtual call unit 2-1 and an external service processing unit 2-2.

  The calling unit 1-1 of the relay unit 1 calls the service processing unit 1-2 or the virtual service processing unit 1-3 according to the received packet, and calls the service processing unit 1-2 or the virtual service processing unit 1-3. The service processing for the received packet is executed independently of each other.

  The service processing unit 1-2 performs packet by packet processing such as timer update processing and packet passing / discarding processing, for example, while referring to a connection state management unit described later that manages a connection state corresponding to the received packet. To run.

  The virtual service processing unit 1-3 entrusts the execution of the service process to the received packet to the virtual call unit 2-1 of the server 2, and further receives the execution result of the service process from the virtual call unit 2-1. By receiving it, the calling unit 1-1 is made to appear as if the virtual service processing unit 2-1 executes the service processing (hereinafter referred to as external service processing) executed by the server 2. As a suitable example of the external service process, there is a stateful process in which the upper layer of the received packet is analyzed to update the state of the corresponding connection of the connection state management unit.

  On the other hand, the external service processing unit 2-2 of the server 2 is virtually called by the virtual calling unit 2-1, and is transferred from the virtual service processing unit 1-3 of the relay unit 1 to the virtual calling unit 2-1. The commissioned external service process is actually executed, and the execution result is given to the virtual call unit 2-1. Then, the virtual call unit 2-1 returns the execution result to the virtual service processing unit 1-3 of the relay unit 1. At this time, when the stateful process is applied as the external service process, the connection state management unit is configured to be updateable from the server 2, and the corresponding part of the connection state management unit is also updated.

  It should be noted that information registration and change of registered information regarding what kind of service processing is entrusted to the server 2 from the relay unit 1 and to which server 2 the service processing is distributed are the server 2 and the virtual service processing unit 1-3. Will do.

  Thus, according to the present hierarchical packet processing technique, not only the relay unit 1 but also the server 2 can execute service processing for received packets. In this case, in particular, if the relay unit 1 performs packet by packet processing and the server 2 performs complicated and heavy processing (stateful processing) for updating the connection state management unit, the relay unit 1 updates the connection state management unit. Therefore, it is not necessary to perform the complicated and heavy processing. For this reason, the relay unit 1 can perform simple and light processing such as determining the passage / discard of the received packet with reference to the connection state management unit or updating the timer. Further, since the service processing of the relay unit 1 and the server 2 is performed independently of each other, the service processing of the relay unit 1 is sequentially performed on the received packets without waiting for the service processing of the server 2 that takes a long processing time to end. Packet relay is faster. In addition, no matter what external service processing is executed on any server 2, the calling unit 1-1 of the relay unit 1 only calls a virtual service process that looks like a predetermined service process. It is possible to change the type of external service processing to be executed on a received packet and the transfer destination of a server that performs the external service processing without changing each unit or setting for performing -1 call setting or packet by packet processing. Further, since the calling of the external service by the calling unit 1-1 of the relay unit 1 is virtualized as if it is performed from the virtual calling unit 2-1 of the server 2, the external service processing unit of the server 2 2-2 does not need to be aware of the setting change of the opposite relay unit 1.

  In particular, the functions of the virtual service processing unit 1-3 and the server 2 are realized by software, and the parts that perform packet by packet processing are realized by hardware. You can enjoy the flexibility to change the setting of external service processing.

Subsequently, an implementation example of the logic block will be described.
In this example, an example in which this mechanism is implemented in Linux (registered trademark) is shown.

FIG. 2A is an implementation example of the relay unit 1 of FIG.
According to the figure, the relay unit 1 can be configured by “NF_HOOK” 10-1, a service processing unit 10-2 that provides a packet by packet processing kernel function, and a virtual bottom half processing unit 10-3.

  “NF_FOOK” 10-1 in the figure is a function in the kernel. The “NF_FOOK” 10-1 refers to the header information of the received packet or a connection state management table (not shown) in which the state of the connection to the received packet is described. It is determined whether or not the service processing provided by the virtual bottom half processing unit 10-3 is executed.

  If it is determined that the service processing provided by the service processing unit 10-2 is to be executed on the packet, the processing provided by the corresponding packet by packet processing kernel function is executed, and the processing result Get. Further, when the determination result is to cause the packet processing to be performed by the virtual bottom half processing unit 10-3 (that is, external service processing), the virtual bottom half processing unit 10 -3 to obtain a packet after service processing from the virtual bottom half processing unit 10-3.

  When the packet by packet processing kernel function is called, the service processing unit 10-2 executes corresponding processing implemented in the kernel (for example, filtering processing based on timer update or connection state management table reference) for the received packet. To do.

The virtual bottom half processing unit 10-3 makes it appear to the “NF_FOOK” 10-1 that it is processing the packet passed from the “NF_FOOK” 10-1, and performs the actual processing on the server 2 Let me do it. In this example, the virtual bottom half processing unit 10-3 is described as a user process. Accordingly, the virtual bottom half processing unit 10-3 includes a processing request queue (ip provided from the kernel so that the processing can be exchanged between the “NF_FOOK” 10-1 which is a function in the kernel and the user process. queue) 10-3-1 is used. The virtual bottom half processing unit 10-3 further includes a process fetch / write function 10-3-2 for exchanging processes with the process request queue 10-3-1, A transfer function 10-3-3 for transferring a processing request for external service processing for a packet to the server 2 in FIG.

  The transfer function 10-3-3 includes a service list in which identification information of an external service process to be executed on a received packet and information of the server 2 that executes the external service process are recorded in a rewritable manner. Based on this, a predetermined external service process for the received packet is entrusted to a predetermined server 2. Also, information transmitted from the server 2 (for example, service list update information, external service processing result information, etc.) is received.

  The process fetch / write function 10-3-2 retrieves process information from the process request queue 10-3-1, edits the process information so that the server 2 can perform external service processing, and transmits the process information from the server 2. The result information is reflected in the corresponding packet, and the reflected packet is written in the processing request queue 10-3-1.

FIG. 2B is an implementation example of the server 2 of FIG.
According to the figure, the server 2 can be configured by a virtual “NF_FOOK” 20-1 and a “hook bottom half execution kernel function” 20-2.

  The virtual “NF_FOOK” 20-1 in FIG. 10 includes a transfer function 20-1-1 for returning a processing response (for example, processing result of external service processing) to the relay unit 1, and a “hook bottom half execution kernel function”. The processing call function P for calling the processing in the kernel of the server 2 provided by 20-2 is provided in the form of the proxy thread SP. Further, in the virtual “NF_FOOK” 20-1, a part of the process call function P (that is, the process call function K in the figure) is arranged in the kernel. In this example, the hook bottom half function is applied to the “hook bottom half execution kernel function” 20-2. However, this processing gives priority to the CPU (central processing unit) processing that must be performed with priority. A process that is a function to be executed and is registered as the “hook bottom half execution kernel function” is executed at the timing when the above priority process ends (for example, the CPU idle time).

  The transfer function 20-1-1 receives a processing request transmitted from the relay unit 1, and transfers a result of an external service process executed for the processing request to the corresponding relay unit 1. Also, the service list provided in the transfer function 10-3-3 of the relay unit 1 is updated (addition / deletion / change of the type of external service, addition / deletion / change of server information providing the external service, etc.). .

  The process call function P calls the “hook bottom half execution kernel function” 20-2 via the process call function K in the kernel by a system call, and is based on the process request received by the transfer function 20-1-1. Execute the process. When the execution result is received, it is transferred to the transfer function 20-1-1.

  In the above process, a connection state management table (not shown) is updated as appropriate. If the server 2 and the relay unit 1 are equipped with the connection state management table, the transfer function 20-1-1 and the relay unit of the server 2 are updated based on the update of the connection state management table of the server 2. The connection state management table of the relay unit 1 can be synchronized via the transfer function 10-3-3. If each of the relay unit 1 and the server 2 is equipped with a connection state management table in this way, the connection state management table of the server 2 is set as a state rewriting target, and the connection management table of the relay unit 1 is referred to or a timer is updated. Can be used properly.

Further, it can appear to the “hook bottom half execution kernel function” 20-2 side as if called from “NF_FOOK” in its own kernel.
Needless to say, the relay unit 1 and the server 2 have a relay system (hereinafter referred to as a hierarchical packet processing system) that executes their independent processing by a common CPU, and a hierarchical packet that is executed by different CPUs. Can be implemented in a processing system. In particular, when implemented in a hierarchical packet processing system having a common CPU, the above-mentioned hook bottom half function causes the CPU to preferentially execute the packet by packet processing of the relay unit 1, and the external service processing of the server 1 You can make use of the free time of the.

  FIG. 3 is a functional block diagram of the hierarchical packet processing system when the relay unit 1 and the server 2 are separately mounted on different devices (relay devices and servers) connected via a communication cable.

The relay device 300 and the server 350 of the present example are connected to each other via a communication cable.
In the functional block diagram of the hierarchical packet processing system 30 shown in the figure, the functions of the relay device 300 and the server 350 are shown separately for each of the devices 300 and 350. As shown in the figure, the relay device 300 includes a kernel unit 301 and a resident program (hereinafter referred to as a daemon) 302 surrounded by a broken line in the figure, and the server 350 includes a kernel unit. A daemon 352 surrounded by a broken line in FIG.

  The daemon 302 includes a mount thread 303, a signaling thread 304, a proxy thread 305, and a service list such as a reception table, a distribution table, and a table ID, which will be described later, as shown in FIG. The daemon 352 also has threads (mount thread 353, signaling thread 354, and proxy thread 355) having similar functions, and transfer information such as a transmission table, a reception table, and a table ID described later (corresponding to the service list). Information).

  Each of the mount threads 303 and 353 includes a packet capturing network interface (IF1 and IF2 in the figure) set in the relay device 300 and a network interface (virtual IF1 and IF2 in the figure) that is virtually set in the server 350. This is a process (mounting process) for creating mapping information with the virtual IF 2) on both devices 300 and 350.

  When the administrator executes the mount command 356 in the server 350, an IF is specified from the mount information 357 of the server 350, and a mount request for the IF is transmitted to the relay apparatus 300. In the relay device 300, the administrator previously executes the mount permission list setting command 306 in the relay device 300, and sets an IF that permits mounting in the mount permission list 307. Therefore, the mount request transmitted from the server 350 is based on the setting contents of the mount permission list 307 (setting that allows or disallows the IF to be mounted) for the IF that made the mount request. A mount permission response is returned to the server 350. By this mounting process, the IF tunnel correspondence information is set in the reception table 308 of the relay device 300 and the transmission table 358 of the server 350, and the real IF of the relay device 300 is virtually created on the server 350.

  When the mount permission list setting command 306 is executed by the administrator, for example, among the network interfaces on the relay device 300, the network interfaces designated as external service processing targets of the server 350 (IF1, IF2 in the figure). ) Can be registered in the hook handler described later.

  Further, when there are a plurality of servers 350, the network interface on the relay device 300 to be provided of the service needs to be associated with the virtual IF on the plurality of servers 350. The mapping information between the network interface of the device 300 and the virtual IFs of the plurality of servers 350 is set in the reception table 308 of the relay device 300 and the transmission table 358 of the server 350 using the port number of the process.

  Each of the signaling threads 304 and 354 is a process (signaling process) for setting so that the external service processing provided by the server 350 can be used from the relay apparatus 300. In the signaling process, when an external service process is called on the relay device 300, the transfer request message is transferred between the devices 300 and 350 so that the processing request message can be transferred from the relay device 300 to the predetermined server 350. Set. In this signaling process, for example, the administrator executes a service activation command 359 on the server 350 shown in FIG. 3 to activate a predetermined service module included in the server 350 so that it can be called from the relay device 300. The correspondence table with the service module of the server 350 called by the relay device is set in the distribution table 309 of the relay device 300 and the reception table 359 of the server 350. This process will be described in detail later.

  The daemon 302 and the daemon 352 include a table ID 310 and a table ID 360, respectively. In these, the location of a later-described state table (partly corresponding to the connection state management table) provided in both the kernel unit 301 of the relay device 300 and the kernel unit 351 of the server 350 is designated.

  The proxy threads 305 and 355 cause the server 350 to process a specific packet detected by the connection tracking process described later in the relay apparatus 300, or to be described later implemented in the kernel units 301 and 351 of the relay apparatus 300 and the server 350. This is a process (proxy process) for synchronizing the state table.

  The proxy thread 305 receives the specific packet from the kernel unit 301, extracts all of the packet or only information necessary for external service processing (hereinafter referred to as necessary information) from the packet, The processing request message including the packet or the necessary information is transmitted to the proxy thread 355 of the corresponding server 350 according to the transmission table 308 and the distribution table 309 set by the signaling process. On the other hand, when the proxy thread 355 receives the processing request message, the proxy thread 355 passes the processing to the kernel unit 351 to execute the corresponding service processing, and receives the processing result from the kernel unit 351. In accordance with the transmission table 358 and the reception table 359 set by the mount process and the signaling process, the proxy thread 355 uses the processing result (for example, change information, information notifying that the packet is passed or discarded) as a processing response message. Send to proxy thread 305. Then, the proxy thread 305 returns the processing result to the kernel unit 301. Furthermore, when the proxy thread 355 detects the update of the state table implemented in the kernel unit 351, the proxy thread 355 transmits the update information as a table synchronization message to the proxy thread 305 specified by the table ID, and the proxy thread 305 Updates the state table implemented in the kernel 301.

Next, the kernel part will be described.
In the kernel unit 301 of the relay apparatus 300, the packet processing path is indicated by a thick arrow. In the processing path of this example, five hook processing units 311 to 315 and two routing processing units 316 (316-1, 316-2) are mounted. Furthermore, a hook information table 317, a hook handler 318, a state table 319, and a filter rule 320 are implemented.

  The hook information table 317 is a connection tracking (or contrack) that entrusts a server to packet by packet processing for performing simple processing, such as timer update processing, filter processing for packet passing / packet discarding, or complicated processing. It is a table that can register a plurality of processes such as processes (hereinafter, also referred to as connection tracking processes when some packet by packet processes are included). Although only the hook information table 317 of the hook processing unit 311 shown at the position closest to the packet intake port (IF1 in the same figure) of the processing path is shown in FIG. ˜315 are also provided with hook information tables. Each hook processing unit 311 to 315 sequentially executes the processing registered in the hook information table corresponding to each hook processing unit 311 to 315 with respect to the received packet.

  In this example, the hook information table is set so that the hook processing unit 311 and the hook processing unit 314 execute the connection tracking process, and the other hook processing units 312, 313, and 315 perform the filter process (the rule setting unit 321 in the figure). Referring to the filter rule 320 in which the filtering policy can be freely rewritten and the state table 319 (to be described later) for managing the session state, the hook is performed so as to execute the process of determining whether the received packet is passed or discarded. An information table is set.

  The hook handler 318 is a function called during connection tracking processing set in the hook information table 317, and performs connection tracking processing on received packets based on the hook handler 318. When this connection tracking process is executed, the state table 319 is referred to as appropriate.

  Although not particularly shown, the hook processing unit 314 in which connection tracking processing is set in the hook information table also has the same configuration as the hook processing unit 311.

  Further, the state table 319 and the filter rule 320 can be referred to from other hook processing units for which filter processing is set in the hook information table.

When the connection tracking processing is executed in the hook processing unit 311 (similarly, the hook processing unit 314), for example, when the packet by packet processing is performed, the packet is transferred to the previous processing unit as soon as the timer is updated. When outsourcing processing is performed, the processing request queue (ip queue) 322 queues the packet, entrusts the processing to the server 350, and the hook processing unit 311 (similarly, the hook processing unit 314) receives the next packet. The processing request queue 311 is a function of the kernel unit 301 and provides a mechanism that allows a packet to be borrowed from the kernel unit 301 and handled in the user space.

Communication between the processing request queue 322 of the kernel unit 301 and the daemon 302 is performed via a kernel socket (NETLINK) 323 shown in FIG.
As described above, a state table that is paired with the state table 319 is mounted on the kernel unit 351 of the server 350. In this example, as a mechanism for realizing the synchronization of the state tables of each other, a socket (CT-NETLINK) 324 shown in the kernel unit 301 of the relay device 300 and the kernel unit 351 of the server 350 is provided.

  On the other hand, in the kernel unit 351 of the server 350, the hook bottom half 361, the service call module 362, and the state table 363 that is paired with the state table 319 mounted in the kernel unit 351 of the relay apparatus 300 are mounted. .

  The hook bottom half 361 includes a bottom half handler (mechanism for processing a routine registered in a queue in the kernel), and in response to a call from the service call module 362, sets the corresponding service module to a free time of the CPU. Execute and return the processing result to the service module.

Further, the state table 363 is updated according to the execution result.
The service call module 362 communicates with the daemon 351 through a kernel socket 364 shown in the figure.

  As described above, the socket (CT-NETLINK) 365 shown in the figure includes a state table 363 mounted on the kernel 351 of the server 350 and a state table 319 mounted on the kernel unit 301 of the relay device 300. It is a mechanism for synchronizing.

  The state table 363 is a table for managing the state of the currently recognized connection. In this example, the state table 363 is used together with an expect table (not shown) for managing information on a connection expected to be created in the future. Note that the state table 319 is used alone.

FIG. 4 is a table example of the state table 319, 363 and the expect table (not shown in FIG. 3) used together with the state table 363.
FIG. 4A is an example of the state table 363 (or 319).

  In the state table 400 shown in the figure, the identification symbol “T1” of the currently recognized connection is registered in the “upstream tuple” column 401 for identifying the connection, and the attribute information of the connection of “T1” is stored. , “SRC IP” field 402, “SRC PORT” field 403, “DST IP” field 404, “DST PORT” field 405, “protocol type” field 406, “L3status” field 407, “L4status” field 408, “helper” ”Column 409,“ expecting ”column 410,“ master ”column 411, and“ timeout ”column 412.

FIG. 4B is an example of the expect table.
In the expect table 450 shown in the figure, the target that expected the connection is registered in the “expecting” column 451, and information on the expected connection is stored in the “SRC IP” column 452, the “SRC PORT” column 453, and the “DST”. “IP” column 454, “DST PORT” column 455, and “protocol type” column 456 are set.

The expected connection set in the expect table 450 is used as a candidate newly set in the state table 400.
Next, the flow of each process performed under the above configuration will be described below with reference to FIG.

  FIG. 5 is a processing flow of the packet processing path shown in the kernel unit 301 of the relay apparatus 300 of FIG. In the following description, portions corresponding to those in FIG. 3 will be described using the reference numerals in FIG.

  When a packet is received from IF1, first, the hook processing unit 311 sequentially executes the processes registered in the hook information table 317 for the packet (S500). In this example, since the connection tracking process is registered in the hook information table # 1 (hook information table 317 in FIG. 3), the hook processing unit 311 connects with a hook handler (not shown) (hook handler 318 in FIG. 3). Execute tracking processing.

  In this connection tracking process, for example, a packet by packet process or an outsourcing process is performed according to the state of the received packet or the state of the session corresponding to the received packet. When the packet by packet processing and the outsourcing processing are completed, the packet is sent to the subsequent processing unit, and the connection tracking processing is performed on the next received packet. In particular, when the above-mentioned outsourcing process is executed, the packet can be temporarily transferred to the processing request queue 322 and the server 350 can be requested to process the packet. During this time, the hook processing unit 311 receives the next packet. Processing can be executed. Therefore, if the subsequent packet requires outsourcing processing, the packet can be further held in the processing request queue 322, so that the relay processing of the subsequent received packet can be performed smoothly. Note that if the result of the outsourcing processing is not discarded, the hook processing unit 311 executes the remaining processing registered in the hook information table # 1 for the packet reflecting the outsourcing processing.

  Subsequently, the processing for the packet is taken over by the routing processing unit 316-1. The routing processing unit 316-1 searches the routing table (S502), and determines whether the packet is a packet addressed to the own station. (S504).

  If the packet is addressed to the own station, the processing for the packet is taken over by the hook processing unit 312, and the hook processing unit 312 sequentially executes the processing registered in the hook information table 317 for the packet. (S506). In this example, the hook processing unit 312 sequentially executes the filter processing registered in the hook information table # 2. Finally, only the permitted packet is received by the application (S508).

  On the other hand, if it is determined in step S504 that the packet is not addressed to the local station, the processing for the packet is taken over by the hook processing unit 313, and the hook processing unit 313 registers the packet in the hook information table 317. A certain process is executed in order (S510). In this example, the hook processing unit 313 sequentially executes the filter processing registered in the hook information table # 5. Further, the processing for the packet is taken over by the hook processing unit 315, and the hook processing unit 315 sequentially executes the processing registered in the hook information table 317 for the packet (S512). In this example, the hook processing unit 315 sequentially executes the filter processing registered in the hook information table # 4. Finally, only the permitted packet is transmitted to IF2 (S514).

  When a packet is transmitted from the application, first, the hook processing unit 314 first executes the processes registered in the hook information table in order for the packet. In this example, the hook processing unit 314 sequentially executes the connection tracking process registered in the hook information table # 3 (S516). Note that the connection tracking process is the same as that of the hook processing unit 311, and thus detailed description thereof is omitted here.

  Subsequently, routing processing is executed in the routing processing unit 316-2 (S518). Further, processing for the packet is taken over by the hook processing unit 315, and the hook processing unit 315 registers the packet in the hook information table 317. The processes are sequentially executed (S512). In this example, the hook processing unit 315 sequentially executes the filter processing registered in the hook information table # 4. Finally, only the permitted packet is transmitted to IF2 (S514).

FIG. 6 is an example of a signaling sequence.
The signaling sequence is a process of setting the service process provided by the server 350 so that it can be used from the relay apparatus 300 side.

First, the server 350 accepts the service activation command 359 (SS600).
Subsequently, the service call module 362 of the kernel 351 is activated based on the reception process (SS602).

  Subsequently, the service module provided by the hook bottom half 361 of the kernel 351 is activated (SS604). In this processing, a service module is incorporated in the kernel unit 351 for external service processing.

  Then, after associating the service with the tunnel number, payout is performed (SS606), and a service start notification for notifying the start of the service is transmitted to the relay apparatus 300 (SS608).

  When receiving the service start notification from the server 350, the relay apparatus 300 receives service information for the external service process (for example, the identifier of the external service process / the type of packet to which the external service process is applied (for example, the source address or the transmission (IP address, tunnel number, etc. of the server 350 that entrusts the external service processing from the relay device 300) to the distribution table 309 (SF600).

  Furthermore, for example, when the hook handler 318 can be set to switch whether or not to execute outsourcing processing, the hook handler 318 is set so as to transfer the corresponding packet to the processing request queue 322 (SF602). .

Then, the relay device 350 returns a service start response to the server 350 indicating that the service start notification has been accepted (SF604).
Upon receiving the service start response from the relay device 300, the server 350 displays the registration result of the external service process on the command line (SS610).

FIG. 7 is an example of messages exchanged between the server 350 and the relay device 300 in the signaling sequence.
FIG. 7A shows a message format, FIG. 7B shows an example of the message content of the service start notification, and FIG. 7C shows an example of the message content of the service start response.

  The message format 700 of FIG. 7A includes a “source IP address” column 702 for storing the IP address of the transmission source device of each message in the “common header” 701 and the IP address of the transmission destination device of each message. A “destination IP address” column 703 for storing the message, a “type” column 704 for storing the type of each message, and a “message length” column 705 for storing the message length. In the “message specific part” field 706, a “detail code” 707 for storing information indicating start and stop of the service and an identification information of the external service provided from the server 350 to the relay apparatus 300 are stored. ”Column 708, and a“ processing result ”709 column for storing information indicating an acceptance result of the relay apparatus 300 for the external service provided from the server 350.

As shown in FIG. 7B, the service start notification message 710 stores the following contents according to the message format 700.
The “source IP address” column 702 stores “the IP address of the server 350”, which is the transmission source device of the service start notification message 710, and the “destination IP address” column 703 stores the service start. The “IP address of the relay device 300”, which is the destination device of the notification message 710, is stored, the information indicating the service start notification is stored in the “type” column 704, and the message is stored in the “message length” column 705. Stores the length. Furthermore, information indicating the start or stop of the service is stored in the “detail code” 707 column, and the identification information (external service identification information (from the server 350 to the relay device 300) provided in the “service ID” column 708 ( The external service identifier and the packet type to which the external service is applied) are stored. Note that the column “processing result” 709 is not used in the service start notification.

As shown in FIG. 7C, the service start response message 720 stores the following contents according to the message format 700 described above.
The “source IP address” column 702 stores “IP address of the relay device 300”, which is the source device that transmits the service response notification message 720, and the “destination IP address” column 703 stores The “server 350 IP address” that is the destination device of the service start notification message 710 is stored, information indicating a service start response is stored in the “type” column 704, and the “message length” column is stored. In 705, the message length is stored. Furthermore, information indicating the start or stop of the service is stored in the “detail code” 707 column, and the identification information of the external service of the server 350 used in the relay device 300 is stored in the “service ID” column 708. The information indicating whether or not the processing has been normally performed is stored in the “processing result” field 709.

  FIG. 8 is a packet processing sequence in the relay apparatus 300 and the server 350 when the outsourcing process is performed when the connection tracking process is executed in the hook processing unit 311 (or the hook processing unit 314) of the relay apparatus 300.

First, the hook processing unit 311 (or hook processing unit 314) of the relay device 300 receives a packet (S800).
Subsequently, by executing the connection tracking process in the hook processing unit 311 (or hook processing unit 314), it is checked whether or not the packet is a packet to be subjected to the outsourcing process (S802), and further, the service target IF It is checked whether or not the packet is received from (S804).

  If both are YES, the packet is transferred to the processing request queue 322, and the packet is transferred from the processing request queue 322 to the proxy thread 305. The proxy thread 305 extracts information (partial packet information) necessary for external service processing in the packet, and sends a processing request message based on the partial packet information and information registered in the reception table 308 and the distribution table 309. Create (S806). At this time, if the IP address of the server 350 as the transmission destination is the same, a plurality of processing requests can be collectively stored in one processing request message.

Then, the processing request message is transmitted to the server 350 (S808).
When the server 350 receives the processing request message transmitted from the relay apparatus 300 by the proxy thread 355, the service bottom module 361 receives the service module corresponding to the processing specified by the processing request message via the service call module 362. And the process is executed using, for example, CPU idle time (S810). In the processing in the hook bottom half 361, other processing is preferentially executed, and a service module registered in the hook bottom half is executed in the idle time of the processing.

  Subsequently, the processing result of the service module in the hook bottom half 361 is passed to the proxy thread 355 via the service call module 362, and if the processing result is to update the state table, the state table 363 is updated (S812). ).

  Then, the proxy thread 355 creates a processing response message based on the processing result and information registered in the transmission table 358 and the reception table 359, and transmits the processing response message to the relay apparatus 300 that has requested the processing of the processing response message. (S814). By this transmission, in the processing request queue 322 of the relay device 300, the packet is discarded according to the processing result, or the processing result is reflected in the packet, and the original hook processing unit 311 (or the hook processing unit 314). ) Or the packet after the reflection is returned.

  Further, when the state table 363 is updated, a table synchronization message including the update information is created by the server 350 (S816), and the table synchronization message is transmitted to the relay device 300 (818).

  When receiving the table synchronization message from the server 350, the relay device 300 reflects the update information in the state table 319 of the relay device 300 (S820), and returns a table synchronization response message to the server 350 (S822). Thus, the state tables can be synchronized with each other.

Then, the relay device 300 performs packet relay processing (S824).
9 and 10 show examples of the various messages.
FIG. 9A shows an example of the processing request message.

  Compared with the message format of FIG. 6, in the processing request message 900, information indicating the processing request message is stored in the “type” 901 column, and the sequence number of the processing request is stored in the “sequence number” column 902. The service caller identifier is stored in the “MARK value” column 903. A plurality of processing requests can be stored together for one processing request message.

FIG. 9B is an example of the processing response message.
Compared with the message format of FIG. 6, the processing response message 950 stores information indicating the processing response message in the “type” 951 column and stores the sequence number of the processing request in the “sequence number” column 952. The service caller identifier is stored in the “MARK value” field 953. A plurality of processing responses can be stored together for one processing response message.

FIG. 10A shows an example of the table synchronization message.
In the table synchronization message 1000, information indicating the table synchronization message is stored in the “type” column 1001, and the identifier of the target service used to recognize the table to be synchronized is stored in the “service ID” column 1002. In the “message type” column 1003, message types such as update and deletion are stored. The actual update information is stored in the “option attribute” column 1004.

FIG. 10B is an example of the table synchronization response message.
In this table synchronization message 1050, information indicating a table synchronization response message is stored in the “type” column 1051, and the identifier of the target service used for recognizing the table to be synchronized is stored in the “service ID” column 1052. Then, the update result (normality, abnormality, etc.) is stored in the “processing result” column 1053.

FIG. 11 is an example of a connection tracking process executed by the hook handler 318 of the relay device 350.
When the hook processing unit 311 (or the hook processing unit 314) receives a packet and the connection tracking process specified in the hook information table 317 is called, the hook handler 318 executes the following processing.

First, it is determined from the packet header whether or not the packet is a fragment packet (S1100).
When it is determined that the packet is a fragment packet, the virtual service processing unit is called, and the processing for the packet is taken over by the virtual service processing unit (S1102). The packet processing is taken over by the virtual service processing unit by passing the packet to the processing request queue 322.

 If it is determined in step S1100 that the packet is not a fragment packet, first, in order to see the state of the packet, first, “source IP address (SRC IP)” and “source port number (SRC) in the packet header are checked. STATE) ”,“ Destination IP address (DST IP) ”, and“ Destination port number (DST PORT) ”are searched for the state table 319 (S1104).

  Then, whether or not the packet is a packet that can be processed in the relay apparatus 300 is determined based on the attribute information hit by the search of the packet and the state table 319 (S1106).

  In this example, when the state of the L3 connection is “IPS_ASSURED”, the state of the L4 connection is “eES”, and the TCP (Transmission Control Protocol) flag is not one of SYN / FIN / RST, Is used as a criterion for making the packet processable. Therefore, a packet (TCP packet whose SYN flag is SYN) or a packet which disconnects a connection (packet whose TCP flag is FIN) or the like to establish a connection from now on does not satisfy the above determination criteria. The service processing unit is called, and the processing for the packet is taken over by the virtual service processing unit (S1108).

On the other hand, if the packet satisfies the determination criterion, the session of the state table 319 is refreshed by timer (time-out value is updated) (S1110).
Then, the process is returned to the caller of the connection tracking process (S1112), and if there is a process following the hook information table, the process is executed on the packet.

When the process is taken over by the virtual service processing unit, the next packet is executed from step S1100.
FIG. 12 is an example of the takeover process of the connection tracking process of the server 350 that has taken over the process in the connection tracking process.

When the processing request message is received from the relay device 300, first, it is determined whether or not it is a request for defragment processing (S1200).
If it is determined that the process is a defragmentation process, the necessary information stored in the processing request message (the whole fragment packet can be used, but in this example, the necessary information extracted from the entire packet or the fragment packet is Defragmentation processing is executed on the processing request message (assumed to be stored in the processing request message) (S1202).

  When the defragment processing for the necessary information is completed, it is determined whether or not the defragment processing for all the information related to the necessary information has been completed (S1204). The server 350 holds that the necessary information is held by the server 350 and transmits it to the relay device 300 (S1206). With this process, when a fragment packet related to the necessary information held in the server 350 is received by the relay device 300, the necessary information of the received packet is transmitted from the relay device 350 to the server 350, The server 350 repeatedly executes the defragmentation process for these necessary information. Then, for example, the server 350 receives all necessary information to be defragmented within a predetermined time, and the defragmentation process is completed.

  If it is determined in step S1200 that the defragment processing is not performed, or if it is determined in step S1204 that the defragmentation is completed, the state table 363 is searched for a connection to which the necessary information belongs (S1208). This search is performed by adding “source IP address (SRC IP)”, “source port number (SRC PORT)”, “destination IP address (DST IP)”, and “destination port number” added to the necessary information. (DST PORT) "as a key.

  Here, it is determined whether or not the connection is registered in the state table 363 (S1210). If not, the attribute information of the connection included in the necessary information is newly registered in the state table 363 (S1212).

  If it is determined in step S1210 that there is a registration, or if it is newly registered in the state table 363 in step S1212, the necessary information is obtained with reference to the setting information in the “L3status” column 407 of the state table 400 in FIG. Event characteristics in the information packet session are determined (S1214). For example, “Is the packet in the original direction”, “Is the packet in the reply direction”, “Is the packet flowed in both directions”, “Is it an expected connection”, or “ Event characteristics are determined according to the setting information such as “Is it set so as not to stutter”, and the event characteristics are set in the table.

  In the case of ICMP (Internet Control Message Protocol), if the event characteristic is “set when the packet is in the reply direction (IP_CT_DIR_REPLY)”, the connection registration information of the packet is deleted from the state table 363, and In the case of event characteristics other than, the timer of the connection in the state table 363 is updated (S1216).

  Further, in the case of UDP (User Datagram Protocol), if the setting information in the “L3status” column 407 is “the packet has flowed in both directions (IPS_SEEN_REPLY)”, “IPS_ASSURED” is set in the “L3status” column 407, Further, the timer of the connection is refreshed. In other cases, the timer of the connection in the state table 363 is refreshed (S1218).

In the case of TCP, the state of “L4status” is updated based on the TCP protocol state transition table.
FIG. 13 is a diagram illustrating a state change of “L4status”.

FIG. 13A shows a case where the event characteristic is in the original direction, and FIG. 13B shows a case where the event characteristic is in the reply direction.
FIG. 13C is a correspondence table between the state of the TCP protocol and the abbreviations used in the above figure.

  In FIG. 13A and FIG. 13B, the horizontal axis indicates the state change of “L4status”, and the vertical axis indicates the type of the TCP header flag of the received packet. However, none is when no flag is set.

For example, when the received packet event characteristic is original and the flag is “syn”, if the previous state of “L4status” is “ssS”, it is updated to “sES”.
If the procedure is correct, IPS_ASSURED is set, otherwise the timer is refreshed (S1220).

Subsequently, it is determined whether or not a processing method for updating the upper application is defined in the “helper” column 409 of the state table 400 (S1222).
In the case of Yes, the state of the upper application is updated (S1224). In the example of the state table 400 in FIG. 4A, “ftp” is displayed in the “helper” column 409. conntrack "is set. In this process, an FTP data session is detected with reference to the data portion of the FTP packet, and information on this data session is registered in the expect table 450.

  When the determination result of step S1222 is No or when the processing of step S1224 is completed, if the packet is “reply”, “the packet has flowed in both directions (IPS_SEEN_REPLY)” in the “L3status” column 407 of the state table 400. Is added (S1226).

  Then, it is determined whether or not the state table 400 has been corrected (S1228). If it is determined that the state table 400 has been corrected, a table synchronization message including information on the correction location is transmitted to the relay device (S1230). If it is determined that the correction has not been made, a processing response is transmitted to the relay device (S1232).

Each process described above can be distributed in the form of a program.
In that case, the program or file may be distributed by recording the program or file on a recording medium such as a floppy (registered trademark) disk, CD-ROM, or DVD, or via a transmission medium used in a public network or the like. It is possible to distribute a part or all of the information. In this case, the user who has received the information from the portable recording medium such as a floppy (registered trademark) disk, CD-ROM, or DVD uses a reading device (a part of the input / output unit) such as a CD-ROM device. The program or file can be copied to an external recording unit, or the program or file can be copied from the Internet to the external recording unit via a computer communication unit. Then, the above-described functions can be realized on the user's computer by being executed by the CPU.

  As described above, in the embodiment of the present invention, even when adding or changing a server that performs service processing, the change can be easily performed. In addition, the relay process can be performed at high speed.

  (Supplementary Note 1) A hierarchical packet processing system including a relay unit and a server that performs a service process on a received packet and relays the received packet. The relay unit performs a service process on the received packet. A calling unit that calls a predetermined service processing unit, a first service processing unit that performs service processing on the received packet by calling the calling unit, and a virtual call on the received packet by calling the calling unit. A second service processing unit that performs service processing, and when the second service processing unit is called from the calling unit, the server converts the received packet into the received packet instead of the second service processing unit. A hierarchical packet processing system, comprising: an external service processing unit that performs arbitrary service processing.

  (Supplementary note 2) When the second service processing unit is called by calling the calling unit, the received packet is temporarily queued in the processing request queue, and service processing for the subsequent received packet is continued by the calling unit. The hierarchical packet processing system according to appendix 1, wherein the hierarchical packet processing system is performed by a called service processing unit.

  (Additional remark 3) The said external service processing part performs the said service process using the time which CPU used by the relay process of the received packet in a relay part vacant, The additional description 1 or 2 characterized by the above-mentioned Hierarchical packet processing system.

  (Additional remark 4) It further has a connection state management part which manages the connection state with respect to a received packet, The said external service process part detects the state of the upper layer of the said received packet, and based on the detection result of the state of this upper layer The connection state management unit updates the connection state of the received packet managed by the connection state management unit, and the same connection reception packet received by the relay unit is updated by the external service processing unit. The hierarchical packet processing system according to any one of appendices 1 to 3, wherein the filtering process is performed based on the connection state.

  (Supplementary Note 5) The service processing performed by the first service processing unit is limited to packet by packet processing and configured by hardware, and the service processing performed by the external service processing unit is configured by software. The hierarchical packet processing system according to any one of supplementary notes 1 to 4.

  (Supplementary Note 6) The virtual service processing unit distributes service processing for the received packet to the server, so that information on the server that performs the service processing and identification information of the service processing provided by the server are determined according to the type of packet. A service list management unit for managing, wherein the server includes a transfer unit that transfers information of the self server and an identifier of a service process provided by the self server to the service list management unit. The hierarchical packet processing system according to any one of supplementary notes 1 to 5.

  (Supplementary Note 7) Each of the relay unit and the server has a connection state management unit that manages a connection state for a received packet, and a synchronization unit that synchronizes the connection state managed by the mutual connection state management unit. Then, the server causes the external service processing unit to detect the state of the upper layer of the received packet, and based on the detection result of the state of the upper layer, the server of the received packet managed by the connection state management unit The same connection reception packet that is updated in the connection state and received by the relay unit is synchronized by the synchronization unit based on the connection state after the update of the connection state management unit of the server. Filter based on the above connection status after updating the connection status manager Management is the hierarchical packet processing system according to any one of Appendices 1 to 6, characterized in that.

  (Supplementary note 8) The hierarchical packet processing according to any one of supplementary notes 1 to 7, wherein the relay unit extracts only necessary information from an external service processing unit from a received packet and transmits it to the server. system.

  (Supplementary note 9) Any one of Supplementary notes 1 to 8, wherein when the relay unit transmits a reception packet to the server, the relay unit transmits a plurality of reception packets having the same destination to the server at a time. The hierarchical packet processing system according to one.

  (Supplementary Note 10) A relay device that performs service processing on a received packet and relays the received packet, a call unit that calls a predetermined service processing unit that performs service processing on the received packet, and the call A first service processing unit that performs service processing on the received packet by calling a unit, a second service processing unit that virtually performs service processing on the received packet by calling the calling unit, and the received packet When the second service processing unit is called from the calling unit, the predetermined information in the received packet is transmitted to a predetermined server when the second service processing unit is called from the calling unit. A transmitter, a receiver for receiving the information transmitted from the server, and the received result as the received packet. Is a reflection unit that is reflected in the information managed by the connection state management unit, and a filter processing unit that performs filtering on the same connection packet based on the post-reflection information managed by the connection state management unit; The relay apparatus characterized by having.

  (Supplementary Note 11) When the second service processing unit is called by calling the calling unit, the received packet is temporarily queued in the processing request queue, and service processing for the subsequent received packet is continued by the calling unit. The relay apparatus according to appendix 10, wherein the relay apparatus is performed by a called service processing unit.

(Supplementary Note 12) The virtual service processing unit distributes service processing for the received packet to the server, so that information on the server that performs the service processing and identification information on the service processing provided by the server are determined according to the type of packet. Having a service list management unit to manage,
The relay device according to appendix 10 or 11, characterized in that.

  (Additional remark 13) It is a server which receives the predetermined information of the packet received by the relay apparatus from the said relay apparatus, Comprising: The connection state management part which manages the state of a connection, and the state of the upper layer of the said packet are detected And a connection state for updating the connection state of the packet managed by the connection state management unit based on the state of the upper layer of the packet detected by the upper layer detection unit A server comprising: an update unit; and a transmission unit configured to transmit update results of the service processing result and the connection state to the relay device.

  (Supplementary Note 14) The server sends its own server information to the service list management unit of the relay device that manages the information of the server that performs service processing and the identification information of the service processing provided by the server according to the type of packet. 14. The server according to appendix 13, wherein the server includes a transfer unit that transfers information and an identifier of a service process provided by the self server.

  (Supplementary Note 15) A method performed in a hierarchical packet processing system including a relay unit and a server, which performs a service process on a received packet and relays the received packet, wherein the relay unit transmits the received packet When the first or second service processing unit that performs service processing on the target is called, and the first service processing unit is called by the call, the service processing is performed on the received packet, and the second service is executed by the call When the processing unit is called, the server virtually performs service processing on the received packet, and when the second service processing unit is called, the server receives the reception instead of the second service processing unit. A method of actually performing service processing on a packet.

  (Supplementary Note 16) When the second service processing unit is called by the call, the received packet is temporarily queued in the processing request queue, and the service processing for the subsequent received packet is subsequently called. The method according to claim 15, wherein the method is performed by:

  (Supplementary note 17) The method according to supplementary note 15 or 16, wherein the server performs the service process by using a free time of a CPU used in the relay process of the received packet in the relay unit.

  (Supplementary Note 18) The connection state management unit manages the connection state for the received packet, and the server detects the state of the upper layer of the received packet, and based on the detection result of the state of the upper layer, the connection state management Updating the connection state of the received packet managed by the relay unit, and the relay unit filtering the same connection received packet based on the updated connection state of the connection state management unit. 18. The method according to any one of appendices 15 to 17, which is characterized.

  (Supplementary Note 19) The relay unit distributes service processing for the received packet to the server, so that information on the server that performs the service processing and identification information of the service processing that the server provides are provided in a service list according to the type of packet. Any one of appendices 15 to 18 managed by the management unit, wherein the server forwards the information of the self server and the identifier of the service processing provided by the self server to the service list management unit. The method according to one.

  (Supplementary Note 20) A program that can be executed by a relay unit and a server that performs a service process on a received packet and relays the received packet, and performs the service process on the received packet in the relay unit A function for calling the first or second service processing unit, a function for performing service processing on the received packet when the first service processing unit is called by the call, and a second service processing unit by the call When the second service processing unit is called in the server, the function of virtually processing the received packet is realized. When the second service processing unit is called in the server, the second service processing unit Instead, a program that realizes a function of actually performing service processing on the received packet.

  (Supplementary note 21) In the relay unit, when the second service processing unit is called by the call, the function of temporarily queuing the received packet in the processing request queue and the service processing for the same connection received packet are performed. The program according to appendix 20, which realizes a function performed by a service processing unit.

  (Additional remark 22) The program of Additional remark 20 or 21 which implement | achieves the function which performs the said service process using the time which CPU currently used by the relay process of the received packet in the said relay part has vacant in the said server.

  (Supplementary Note 23) Based on the function of managing the connection state for the received packet by the connection state management unit, the function of detecting the state of the upper layer of the received packet in the server, and the detection result of the state of the upper layer, The function of updating the connection state of the received packet managed by the connection state management unit, and the relay unit based on the updated connection state of the connection state management unit based on the updated connection state of the connection state management unit The program according to any one of appendices 20 to 22, which realizes a function of filtering.

  (Supplementary Note 24) In the relay unit, in order to distribute the service processing for the received packet to the server, information on the server that performs the service processing and identification information of the service processing provided by the server according to the type of packet Supplementary notes 20 to 23 for realizing the function managed by the management unit and the function of transferring the information of the self server and the identifier of the service processing provided by the self server to the service list management unit in the server The program as described in any one.

(Supplementary Note 25) The first service processing unit processes a packet by packet,
The external service processing unit performs stateful processing.
10. The hierarchical packet processing system according to any one of appendices 1 to 9, wherein

(Supplementary note 26) The relay device according to any one of supplementary notes 10 to 12, wherein the first service processing unit processes a packet by packet.
(Supplementary note 27) Any one of Supplementary notes 15 to 19, wherein the service process that the server actually performs on the received packet instead of the second service processing unit is a stateful process. the method of.

  (Additional remark 28) The service process which the said server actually performs with respect to the said received packet instead of said 2nd service processing part is a stateful process, The additional description 20 thru | or 24 characterized by the above-mentioned Program.

It is a figure for demonstrating the principle of the hierarchical packet processing technique applied to this invention. It is an example of implementation of the hierarchical packet processing technique applied to this invention. It is a functional block diagram of a hierarchical packet processing system. It is a table example of state table 319,363 and expect table. 4 is a processing flow of a packet processing path shown in the kernel unit 301 of the relay apparatus 300. It is an example of a signaling sequence. It is an example of a message. 4 is a packet processing sequence in the relay apparatus 300 and the server 350. Here is an example message: Here is an example message: 6 is an example of a connection tracking process executed by a hook handler 318 of the relay device 350. It is an example of a takeover process of the connection tracking process of the server 350 that has taken over the process in the connection tracking process. It is a figure which shows the state change of "L4status".

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Relay part 1-1 Calling part 1-2 Service processing part 1-3 Virtual service processing part 2 Server 2-1 Virtual calling part 2-2 External service processing part

Claims (13)

A hierarchical packet processing system including a relay unit and a plurality of servers , which performs a service process on a received packet and relays the received packet,
The relay unit is
A calling unit that calls a predetermined service processing unit that performs service processing on the received packet;
A first service processing unit that performs service processing on the received packet by calling the calling unit;
A second service processing unit that virtually performs service processing on the received packet by calling the calling unit;
Have
The second service processing unit distributes service processing for the received packet to any of the plurality of servers, so that information on a server performing the service processing and identification information on the service processing provided by the server are used as a packet type. It has a service list management unit to manage accordingly,
The server
A transfer unit that transfers information of the self server and identification information of service processing provided by the self server to the service list management unit;
When the second service processing unit is called from the calling unit, an external service processing unit that performs arbitrary service processing on the received packet instead of the second service processing unit,
Have
A hierarchical packet processing system.   When the second service processing unit is called by calling the calling unit, the received packet is temporarily queued in the processing request queue, and service processing for the subsequent received packet is subsequently called by the calling unit. The hierarchical packet processing system according to claim 1, wherein the hierarchical packet processing system is performed by a processing unit.   3. The hierarchical type according to claim 1, wherein the external service processing unit performs the service processing using a time when a CPU used in the relay processing of the received packet in the relay unit is idle. Packet processing system. A connection state management unit for managing a connection state for the received packet;
The external service processing unit detects an upper layer state of the received packet, and updates the connection state of the received packet managed by the connection state management unit based on a detection result of the upper layer state. ,
The same connection packet received by the relay unit is filtered based on the connection state of the connection state management unit updated by the external service processing unit,
The hierarchical packet processing system according to any one of claims 1 to 3. A relay device that performs a service process on a received packet and relays the received packet,
The relay device is
A calling unit that calls a predetermined service processing unit that performs service processing on the received packet;
A first service processing unit that performs service processing on the received packet by calling the calling unit;
A second service processing unit that virtually performs service processing on the received packet by calling the calling unit ;
The second service processing unit distributes the service processing for the received packet to any of a plurality of servers, so that the information on the server that performs the service processing and the identification information of the service processing provided by the server according to the type of the packet A service list management unit managed by the server, receiving information on the own server transferred from the server and identification information of service processing provided by the server, and calling the second service processing unit from the calling unit. The relay apparatus is characterized in that, when the received packet is received, an arbitrary service process is performed by the server instead of the second service processing unit. A connection state management unit for managing information based on detection of a state of an upper layer of the received packet;
When the second service processing unit is called from the calling unit, a transmitting unit that transmits predetermined information in the received packet to a predetermined server;
A receiving unit for receiving information transmitted from the server;
A reflection unit that reflects the received result on the received packet or the information managed by the connection state management unit;
A filter processing unit that performs filtering on the same connection packet based on the information after reflection managed by the connection state management unit;
The relay apparatus according to claim 5, further comprising : When the second service processing unit is called by calling the calling unit, the received packet is temporarily queued in the processing request queue, and service processing for the subsequent received packet is subsequently called by the calling unit. The relay apparatus according to claim 5 , wherein the relay apparatus is performed by a processing unit. A server that receives predetermined information from packets received by the relay device from the relay device,
Service list management of the relay apparatus that manages information on a server that performs service processing and identification information on service processing provided by the server according to the type of packet in order to distribute service processing for received packets to any of a plurality of servers A transfer unit that transfers information of the self server and identification information of a service process provided by the self server to the unit;
When a service processing unit that virtually performs service processing on the received packet is called in the relay device, an external service processing unit that performs arbitrary service processing on the received packet instead of the service processing unit;
The server characterized by having. A connection status management unit for managing the connection status;
An upper layer detection unit for detecting a state of an upper layer of the packet and performing service processing;
A connection state update unit that updates the connection state of the packet managed by the connection state management unit based on the state of the upper layer of the packet detected by the upper layer detection unit;
A transmission unit for transmitting the result of the service processing and the update information of the connection state to the relay device;
The server according to claim 8, further comprising : A method performed in a hierarchical packet processing system including a relay unit and a plurality of servers , which performs a service process on a received packet and relays the received packet,
The relay unit is
In order to distribute service processing for the received packet to any of the plurality of servers, information on the server that performs the service processing and identification information on the service processing provided by the server are managed according to the type of the packet,
Call a first or second service processing unit that performs service processing on the received packet,
When the first service processing unit is called by the call, service processing is performed on the received packet,
When the second service processing unit is called by the call, virtually performs service processing on the received packet,
The server
To the relay unit, the information of the self server and the service processing identification information provided by the self server are transferred,
When the second service processing unit is called, the service processing is actually performed on the received packet instead of the second service processing unit.
A method characterized by that. The connection status management unit manages the connection status for received packets.
The server
Detecting an upper layer state of the received packet;
Based on the detection result of the upper layer state, update the connection state of the received packet managed by the connection state management unit,
The relay unit is
Filtering the same connection reception packet based on the connection state of the updated connection state management unit,
The method according to claim 10 . A program executable by a relay unit and a server for performing a service process on a received packet and relaying the received packet,
In the relay unit,
A function of managing information on a server that performs service processing and service processing identification information provided by the server according to the type of packet in order to distribute service processing for the received packet to any of a plurality of servers;
A function of calling a first or second service processing unit that performs service processing on the received packet;
When the first service processing unit is called by the call, a function of performing service processing on the received packet;
When the second service processing unit is called by the call, a function for virtually processing the received packet;
Realized,
In the server,
A function of transferring information of the self server and identification information of service processing provided by the self server to the relay unit;
When the second service processing unit is called, a function of actually performing service processing on the received packet instead of the second service processing unit;
A program that realizes A function for managing the connection state for the received packet by the connection state management unit;
In the server,
A function of detecting a state of an upper layer of the received packet;
A function of updating the connection state of the received packet managed by the connection state management unit based on the detection result of the state of the upper layer;
In the relay unit,
A function of filtering the same connection reception packet based on the connection state of the updated connection state management unit;
The program according to claim 12 , which realizes

Images